It seems that the Android Bootloader on select Motorola devices is vulnerable to a kernel command-line injection attack. This initroot attack was first discovered by Aleph Research just last month, when they announced it for the Nexus 6 smartphone. They assumed the attack was possible on other Motorola devices but hadn’t done any additional tests at the time. They were then contacted by a few people within the community and were able to confirm their suspicion.

It was suggested to them that both the Moto G4 and the Moto G5 were vulnerable to this kernel command-line injection attack. They acquired these two devices and have since confirmed that the Android Bootloader (ABOOT) on each of them is indeed vulnerable to the same attack they announced just last month (CVE-2016-10277). The only difference was that initroot had to be ported to these two devices.

They did this by finding the SCRATCH_ADDR values used by the bootloaders and then creating malicious initramfs archives. The underlying flaw lets an attacker inject a kernel parameter (named initrd) that forces the Linux kernel to populate initramfs into rootfs from a specified physical address. The attack also lets an attacker abuse the download function in ABOOT to place a malicious initramfs at a known physical address.
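As an added illustration (not code from Aleph Research or from this post), here is a small Python check that parses a kernel command line the way a defender would read it from a booted device and flags an initrd=&lt;physical address&gt;,&lt;size&gt; parameter, the form the injection relies on; the sample command lines and every address in them are constructed, not taken from a real device.

```python
import re
import shlex

# Constructed sample kernel command lines (not captured from any real device).
# The second one carries an initrd= parameter in the ARM "<phys_addr>,<size>"
# form that points the kernel at an initramfs already sitting in memory.
SAMPLE_CMDLINES = {
    "clean": "console=ttyHSL0,115200,n8 androidboot.hardware=qcom "
             "androidboot.verifiedbootstate=green",
    "injected": "console=ttyHSL0,115200,n8 androidboot.hardware=qcom "
                "initrd=0x12000000,0x400000 androidboot.verifiedbootstate=green",
}

# Approximation of what the kernel's memparse() accepts for "initrd=start,size":
# a hex start address followed by a hex size or a decimal size with k/m/g suffix.
PHYS_INITRD = re.compile(r"^0x[0-9a-fA-F]+,(0x[0-9a-fA-F]+|\d+[kKmMgG]?)$")


def parse_cmdline(cmdline):
    """Split a kernel command line into (key, value) pairs, keeping duplicates
    and quoted values (shlex handles the double-quoted form the kernel allows)."""
    params = []
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params.append((key, value if sep else None))
    return params


def find_physical_initrd(cmdline):
    """Return every initrd= value that names a raw physical address and size.
    A normal Android boot has no such parameter, so a non-empty result means
    the bootloader passed (or was made to pass) an in-memory initramfs."""
    return [
        value
        for key, value in parse_cmdline(cmdline)
        if key == "initrd" and value and PHYS_INITRD.match(value)
    ]


if __name__ == "__main__":
    # On a device this would read /proc/cmdline; here we use the constructed samples.
    for name, cmdline in SAMPLE_CMDLINES.items():
        hits = find_physical_initrd(cmdline)
        print(f"{name}: {'suspicious ' + str(hits) if hits else 'no physical initrd='}")
```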

With a successful attack on the Moto G4, Moto G5 and Nexus 6 (other Motorola devices may be vulnerable as well), the attacker gains an unrestricted root shell. The team at Aleph Research was able to complete both attacks on the latest OTA updates available to them. However, Google has since fixed this in May’s security update, and a patch has even made its way into the mainline kernel.